Information processing device, access control processing method, and computer program

ABSTRACT

An apparatus and a method which enable to execute different access controls based on setting modes are realized. A MAC address table in which a manually registered client MAC address and an automatically registered client MAC address are registered in forms to be able to distinguish each other is set. If an access control mode is an automatic registration access control mode, a MAC addresses of an access requesting client is registered until the number of the MAC address reaches a defined limit number of registration: N of the MAC address table, and the access is allowed under the condition of the registration; or if the access control mode is a registered device access control mode, the access is allowed under the condition that the client MAC address is registered in the MAC address table as the manually registered MAC address.

TECHNICAL FIELD

The present invention relates to an information processing apparatus, anaccess control processing method and a computer program. Morespecifically, it relates to an information processing apparatus, anaccess control processing method and a computer program, which executean access control process based on the determination of access authorityin communication between network-connected devices.

BACKGROUND ART

Owing to the recent diffusion of a data communication network, aso-called home network, in which a home electric appliance, a computerand other peripheral devices are connected through a network in home soas to allow the communication between the devices, is spreading. Bycarrying out the communication between network-connected devices, thehome network offers convenience and comfort to a user such as to allow adata processing function of each of the devices to be shared and totransmit/receive the contents between the devices. Thus, it is estimatedto become more and more popular in the future.

As a protocol suitable for constructing such a home network, an UPnP(registered trademark) is known. The UPnP allows easy construction of anetwork without any complicated operations and permits anetwork-connected device to receive a service provided by each of theconnected devices without any difficult operations or setting. Moreover,the UPnP is advantageous in that it is not dependent on an OS (operatingsystem) on a device and therefore allows easy addition of a device.

In the UPnP, the connected devices exchange a definition file inconformity with XML (eXtesible Markup Language) for mutual recognitionbetween the devices. The outline of processing of the UPnP is asfollows.

(1) Addressing process for acquiring its own device ID such as an IPaddress.

(2) Discovery process for searching each device on a network to acquirea response from each device so as to acquire information such as devicetype or a function contained in the response.

(3) Service request process for making a request for a service to eachdevice based on information acquired by the discovery process.

By implementing the above-described processing procedure, a service canbe provided and received using network-connected devices. A device to benewly connected to the network acquires a device ID by theabove-described addressing process and acquires information of anotherdevice connected to the network by the discovery process. A request fora service can be made to another device based on the acquiredinformation.

On the other hand, however, it is required to consider thecountermeasure against unauthorized access in this kind of network. Adevice in the home network, for example, a server or the like, storesthe contents requiring the copyright management such as private contentsor pay contents in many cases.

Such contents stored in the server in the home network can be accessedfrom other devices connected through the network. For example, thecontents can be acquired by a device implementing the UPnP connectionwhich corresponds to the above-described simple device connectionstructure. In the case where the contents are video data or music data,if a TV or a player is connected as a network-connected device, a moviecan be enjoyed or music can be listened to.

Although access made by a device connected by a user who owes the rightsto the use of the contents may be allowed, even a user who does not ownthe rights to the use of the contents or the like can easily get intothe network in the network configuration as described above. Forexample, in the case of a network constructed by a wireless LAN,unauthorized participation in the network may occur by using acommunication device from outside, a next door or the like to a serverin home so as to exploit the contents. A configuration permitting suchunauthorized access generates secret leakage and also becomes a seriousproblem in view of the management of the copyright of the contents.

In order to exclude the unauthorized access as described above, aconfiguration of, for example, making a server possess a list of clientswhose access is allowed and executing a collation process with the listin the server upon an access request to the server from a client so asto exclude unauthorized access has been proposed.

For example, MAC (Media Access Control) address filtering for setting aMAC address corresponding to a physical address unique for anetwork-connected device as an access allowable device list is known.The MAC address filtering is that a MAC address whose access isallowable is registered in advance on a router or a gateway forisolating an internal network (sub-net) such as a home network and anexternal network from each other, and then collates a MAC address of areceived packet with the registered MAC address so as to refuse theaccess from a device having an unregistered MAC address. This kind oftechnique is disclosed in, for example, Japanese Patent ApplicationPublication No. 10-271154 (Patent Document 1).

Generally, in order to implement the registration process of the MACaddress for restricting the access, however, such a process is requiredthat a user or an administrator searches for the MAC address of a deviceto be connected to a network and an operator enters the searched MACaddress to create a list.

In the home network, the addition of a new device frequently occurs. Ifthe user has to search for the MAC address of a device to implement theregistration process at each device addition process as described above,the facility of the network construction is hampered.

On the other hand, a network configuration including not only a PC butalso a home electric appliance is constructed even in a generalhousehold. Thus, a so-called ubiquitous environment, in which any devicecan access the network, is being constructed. Moreover, because of thediffusion of a wireless LAN or the like, it becomes easy for acommunicable device to get into the wireless LAN from outside. In such anetwork environment, unauthorized access to the network-connected deviceis more likely to occur. Therefore, the possibility of exploitation ofconfidential information, unauthorized read of the contents or the likeimplemented by unauthorized access becomes more and more likely. In sucha condition, an appropriate access control configuration is expected tobe easily realized without imposing a burden on a general user.

DISCLOSURE OF THE INVENTION

The present invention is devised in view of the above problems and hasan object of providing an information processing apparatus, an accesscontrol processing method and a computer program, which enable an accesscontrol process in different forms based on a plurality of modes inaccess control of the information processing apparatus receiving accessrequests from various devices via a network so as to reduce a burden ona user and to allow the prevention of unrestrained access from anunspecified number of clients.

A first aspect of the present invention is an information processingapparatus for executing an access control process, characterized byincluding: a memory section storing a MAC address table in which amanually registered client MAC address and an automatically registeredclient MAC address are registered in forms to be able to distinguisheach other; and an access control section for executing different accesscontrol processes, in response to an access request from a client, inaccordance with an access control mode set in the information processingapparatus being an automatic registration access control mode or aregistered device access control mode, wherein the access controlsection has a structure in that: if the access control mode set in theinformation processing apparatus is the automatic registration accesscontrol mode, a MAC addresses of an access requesting client isregistered until the number of the MAC address reaches a defined limitnumber of registration: N of the MAC address table, and the accesscontrol process for allowing the access from the client is executedunder the condition of the registration process; and if the accesscontrol mode set in the information processing apparatus is theregistered device access control mode, the access control process forallowing the access from the client is executed under the condition thatthe MAC address of the access requesting client is registered in the MACaddress table as the manually registered MAC address.

Furthermore, an embodiment of the information processing apparatus ofthe present invention is characterized in that if the access controlmode set in the information processing apparatus is the automaticregistration access control mode, the access control section identifiesthe type of the access request from the client and registers the MACaddress of the client up to the defined limit number of registration: Nof the MAC address table only in the case where the type of theidentified access request corresponds to the type of access request towhich access control should be executed, and executes the access controlprocess for allowing the access from the client under the condition ofthe registration process.

Furthermore, an embodiment of the information processing apparatus ofthe present invention is characterized in that the type of accessrequest to which the access control should be executed includes at leastone of a content request process based on an HTTP (Hyper Text TransferProtocol)-GET method and a control request process based on a SOAP(Simple Object Access Protocol).

Furthermore, in an embodiment of the information processing apparatus ofthe present invention, the information processing apparatus ischaracterized by including a registration processing section forexecuting a process for registering a client MAC address in the MACaddress table as the manually registered client MAC address under thecondition that a manual registration process in accordance with apredefined MAC address registration process sequence is executed.

Furthermore, in an embodiment of the information processing apparatus ofthe present invention, the information processing apparatus ischaracterized by including a registration processing section forexecuting a setting change process for changing an automaticallyregistered client MAC address entry in the MAC address table as amanually registered client MAC address entry under the condition that amanual registration process in accordance with a predefined MAC addressregistration process sequence is executed for the MAC address registeredas the client MAC address automatically registered in the MAC addresstable.

Furthermore, a second aspect of the present invention is an accesscontrol processing method in an information processing apparatus beingcharacterized by including: an access request receiving step ofreceiving an access request from a client; a mode determining step ofdetermining an access control mode set in the information processingapparatus is an automatic registration access control mode or aregistered device access control mode; and an access control step ofexecuting an access control process for registering a MAC address of anaccess requesting client up to a defined limit number of registration: Nof a MAC address table, and for allowing the access of the client underthe condition of the registration process, if the set access controlmode is the automatic registration access control mode; and of executingan access control process for allowing the access of the client underthe condition that the MAC address of access requesting client isregistered in the MAC address table as a manually registered MAC addressif the set access control mode is the registered device access controlmode.

Furthermore, an embodiment of the access control processing method ofthe present invention is characterized in that the access control modeset in the information processing apparatus is the automaticregistration access control mode, the access control step identifies thetype of access request from the client, registers the MAC address of theclient up to the defined limit number of registration: N of the MACaddress table only in the case where the type of identified accessrequest corresponds to the type of access request to which a predefinedaccess control should be executed, and executes a process for allowingthe access of the client under the condition of the registrationprocess.

Furthermore, an embodiment of the access control processing method ofthe present invention is characterized in that the type of request towhich the access control should be executed includes at least one of acontent request process based on an HTTP (Hyper Text TransferProtocol)-GET method or a control request process based on a SOAP(Simple Object Access Protocol).

Furthermore, in an embodiment of the access control processing method ofthe present invention, the access control processing method ischaracterized by further including a registration process step ofexecuting a process of registering a client MAC address in the MACaddress table as the manually registered client MAC address under thecondition that a manual registration process in accordance with apredefined MAC address registration process sequence is executed.

Furthermore, in an embodiment of the access control processing method ofthe present invention, the access control processing method ischaracterized by further including a registration process step ofexecuting a setting change process for changing an automaticallyregistered client MAC address entry to a manually registered client MACaddress entry in the MAC address table, under the condition that amanual registration process in accordance with a predefined MAC addressregistration process sequence is executed for a MAC address registeredin the MAC address table as an automatically registered client MACaddress.

Furthermore, a third aspect of the present invention is a computerprogram for executing an access control process in an informationprocessing apparatus, the computer program being characterized byincluding: a mode determining step of determining an access control modeset in the information processing apparatus is an automatic registrationaccess mode or a registered device access control mode; and an accesscontrol step of executing an access control process for registering aMAC address of an access requesting client up to a defined limit numberof registration: N of a MAC address table, if a set access control modeis the automatic registration access control mode, and for allowing theaccess of the client under the condition of the registration process;and of executing an access control process for allowing the access ofthe client under the condition that the MAC address of the accessrequesting client is registered in the MAC address table as a manuallyregistered MAC address, if the set access control mode is the registereddevice access control mode.

In the structure of the present invention, the MAC address table is set,in which a manually registered client MAC address and an automaticregistered client MAC address are registered in such a form that theycan be distinguished from each other. If the access control mode is theautomatic registration access control mode, the MAC address of an accessrequesting client is registered up to the defined limit number ofregistration: N of the MAC address table, the access control process forallowing the access of the client is executed under the condition of theregistration process. If the access control mode is a registered deviceaccess control mode, the access control process for allowing the accessof the client is executed under the condition that the MAC address ofthe access requesting client is registered in the MAC address table as amanually registered MAC address. Therefore, even in the case where themanual registration process is not executed by the user, unrestrainedaccess is prevented. For example, the acquisition of the contents storedin the server from an unspecified number of clients and the like can beprevented. Furthermore, by setting the mode to the registered deviceaccess control mode, the execution of strict access control can beexecuted.

Furthermore, according to the structure of the present invention, thetype of the access request from the client is identified in theautomatic registration access control mode. Only if the type of theidentified access request corresponds to the type of access request towhich a predefined access control should be executed, for example, acontent request process based on an HTTP (Hyper Text TransferProtocol)-GET method or a control request process based on a SOAP(Simple Object Access Protocol), the MAC address of the client isregistered up to the defined limit number of registration: N of the MACaddress table. The access allowance is executed under the condition ofthe registration process. Therefore, since unnecessary access controlcan be prevented from being performed in a device discovery process, aninformation acquisition process or the like in an UPnP or the like.

The computer program of the present invention is, for example, acomputer program for a general-propose computer system capable ofexecuting various program codes, for example, a recording medium or acommunication medium, which is provided in a computer-readable form, anda recording medium such as a CD, an FD and an MO, that can be providedby a communication medium such as a network. By providing such a programin a computer-readable form, a process in accordance with the programcan be realized on a computer system.

The other objects, features and advantages of the present invention willbe apparent from the detailed description based on the followingembodiments of the present invention and the accompanying drawings. Thesystem in this specification means a logical assembly structure of aplurality of apparatuses, and therefore it is not limited to thoseincluding the apparatuses having the respective structures within thesame housing.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an exemplary network configuration to which the presentinvention is applicable;

FIG. 2 is a diagram illustrating an exemplary configuration of anetwork-connected device;

FIG. 3 is a diagram illustrating a MAC address table included in aninformation processing apparatus according to the present invention andan access control process;

FIG. 4 is a flowchart illustrating the access control process executedby the information processing apparatus of the present invention;

FIG. 5 is a diagram showing a packet structure transmitted from aclient;

FIG. 6 is a flowchart illustrating the access control process executedby the information processing apparatus of the present invention;

FIG. 7 is a functional block diagram showing an access control processconfiguration of the information processing apparatus of the presentinvention;

FIG. 8 is a diagram showing an exemplary user interface structuredisplayed on a display of the information processing apparatus executingthe access control process;

FIG. 9 is a diagram showing exemplary data of an HTTP-GET headercontained in an access request from a client;

FIG. 10 is a sequence diagram showing an example of a manualregistration process sequence of a MAC address;

FIG. 11 is a block diagram showing a functional structure of a server;and

FIG. 12 is a block diagram showing a functional structure of a client.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, an information processing apparatus, an access controlprocessing method and a computer program of the present invention willbe described in detail with reference to the drawings.

[System Outline and MAC Address Table]

First, with reference to FIG. 1, an exemplary network configuration, towhich the present invention is applicable, will be described. FIG. 1shows a configuration, for example, a home network configuration, inwhich a server 101 for executing processes in accordance with processingrequests from various client devices, PCs 121, 122 and 124 correspondingto client devices and mobile communication terminals 123 and 125 such asPDAs or cell phones for making processing requests to the server 101 areconnected through a network 100.

The process executed by the server 101 in response to a request from aclient are, for example, the provision of the contents stored in storagemeans such as a hard disk held by the server 101, a data processingservice by the execution of an application program executable by theserver, or the like. In FIG. 1, the server 101, the PCs 121, 122 and 124serving as the other client devices, the personal communicationassistants 123 and 125 such as the PDAs and the cell phones areillustrated in a distinct manner. However, a device for providing aservice in response to a request from a client is illustrated as aserver, and therefore, any of the client devices can provide a functionas a server if it provides its own data processing service to anotherclient. Therefore, the network-connected client device shown in FIG. 1may become a server.

The network 100 may be any of wired and wireless networks and the like.Each of the connected devices has a MAC (Media Access Control) address.Each of the network-connected devices transmits and receives via thenetwork 100 a packet having a destination MAC address and a source MACaddress as header information, for example, an Ethernet (registeredtrademark) frame. Specifically, the client transmits an Ethernet framehaving a data portion of the frame, which stores processing requestinformation, to the server 101 so as to execute a data processingrequest to the server 101. In response to the reception of theprocessing request frame, the server 101 performs an access authoritydetermination process described below, executes data processing underthe condition that it is determined to have authority, stores resultdata corresponding to the results of the data processing in the dataportion of the Ethernet frame as needed and transmits it to each client.

The network-connected device is constituted by, for example, a UniversalPlug and Play (UPnP)-compatible device. Therefore, the structure allowseasy addition and deletion of a connected device to/from the network. Adevice to be connected to the network can receive a service using anetwork-connected device by implementing the below-described processingprocedure:

-   (1) Addressing process for acquiring its own device ID such as an IP    address;-   (2) Discovery process for searching each device on a network to    acquire a response from each device so as to acquire information    such as device type or a function contained in the response; and-   (3) Service request process for making a request for a service to    each device based on information acquired by the discovery process.

An exemplary hardware structure of the information processing apparatussuch as a PC constituting the server and the client device shown in FIG.1 will be described with reference to FIG. 2.

A CPU (Central Processing Unit) 301 executes various processes inaccordance with a program stored in a ROM (Read Only Memory) 302, a HDD304 or the like and functions as data processing means or communicationcontrol processing means. A RAM 303 appropriately stores a programexecuted by the CPU 301 or data. The CPU 301, the ROM 302, the RAM 303and the HDD 304 are interconnected via a bus 305.

An input/output interface 306 is connected to the bus 305. An inputsection 307 composed of, for example, a keyboard, a switch, a button, amouse or the like, which is operated by a user, and an output section308 composed of an LCD, a CRT, a speaker or the like for presentingvarious information to the user are connected to the input/outputinterface 306. Furthermore, a communication section 309 functioning asdata transmitting/receiving means, and in addition, a removablerecording medium 311 such as a magnetic disk, an optical disc, amagneto-optical disc or a semiconductor memory can be inserted. A drive310 for executing a data reading or writing process from/to theseremovable recording media 311 is connected.

The configuration shown in FIG. 2 is an example of the server or apersonal computer (PC) as an example of the network-connected deviceshown in FIG. 1. However, the network-connected device is not limited tothe PC. It can be constructed by a mobile communication terminal such asa cell phone or a PDA or other various electronic devices andinformation processing apparatuses as shown in FIG. 1. Therefore, it canhave a hardware structure unique to each of the devices and executes aprocess in accordance with the hardware.

In the present invention, the information processing apparatuscorresponding to the network-connected device for performing accesscontrol stores a MAC address table, in which MAC addresses ofnetwork-connected devices having access authority are registered, as adevice list of the network-connected devices having access authority,and executes the access control process based on the MAC address table.

The information processing apparatus for executing the access controlbased on the MAC address table has two access control modes, that is:

-   (1) automatic registration access control mode; and-   (2) registered device access control mode.

In (1) the automatic registration access control mode, when theinformation processing apparatus, which executes the access controlbased on the MAC address table, receives an access request from anexternal device (client), it acquires a source MAC address (client MACaddress) from the access request packet and determines whether or not itis identical with the registered MAC address registered in the MACaddress table stored in the information processing device. If they areidentical, the access is allowed. If not, the MAC address acquired fromthe access request packet is automatically registered in the MAC addresstable and allows the access under the condition of the execution of theregistration process.

However, the number of MAC addresses to be registered in the MAC addresstable is preset to a limit number of registration: N (for example, N=5,10, 15, 63 etc.). Only if the number of MAC addresses to be registeredin the MAC address table does not reach the limit number ofregistration: N, the automatic registration process of the MAC addressis executed. After the automatic registration process, the access isallowed.

In (2) the registered device access control mode, in the case where theinformation processing apparatus, which executes the access controlbased in the MAC address table, receives the access request from theexternal device (client), it acquires the source MAC address (client MACaddress) from the access request packet and determines whether or not itis identical with the manually registered MAC address which is subjectedto the manual registration process in accordance with a predefined MACaddress registration process sequence among the registered MAC addressesregistered in the MAC address table stored in the information processingapparatus. If it is identical with the manually registered MAC address,the access is allowed. If not, a process for not allowing the access isexecuted in this mode.

In the information processing apparatus of the present invention, theabove-described two modes can be appropriately switched. In each of theset modes, the access control in the above-described form is executed.

An exemplary structure of the MAC address table (MAC list) stored in thememory section so that the information processing apparatus of thepresent invention performs the access control will be described withreference to FIG. 3. An information processing apparatus 410 serving asthe network-connected device for performing the access control receivesan access request from various information processing apparatuses 421 to423 connected via a network and collates a source MAC address containedin the access request and a MAC address stored in a MAC address table(MAC list) 411 with each other.

The MAC address table (MAC list) 411 stored in the memory section of theinformation processing apparatus 410 has a table structure allowing thestorage of entries up to the limit number of registration: N asillustrated, and stores MAC address data in the above-describedautomatic registration control mode or manually registered in accordancewith a predefined sequence.

Moreover, data indicating whether or not the registered MAC addresscorresponds to manually registered data is set in the MAC address table(MAC list) 411 as data correlated with each of the MAC addresses.

More specifically, manual registration identification data, whichindicates that it is a MAC address registered by a manual registrationprocess in accordance with the preset registration sequence or anautomatically registered address in the above-described automaticregistration access control mode, is set in the MAC address table 411 incorrelation with each of the registered MAC addresses. In FIG. 3, theentry indicated with a symbol “o” in a manual registration fieldcorresponds to a MAC address registered by the manual registrationprocess in accordance with the preset registration sequence.

The MAC address table is stored in the memory section (non-volatilememory) in the information processing apparatus (server) serving as thenetwork-connected device for performing the access control. The MACaddress table has a structure for storing the registered data of eachclient by slot and stores one piece of registered client information foreach slot. To the registration information, in addition to the MACaddress of a client and information indicating whether it is manuallyregistered or not as illustrated, information such as a client name thatcan be arbitrary set by a user and registration date/time may be storedalthough not shown in the drawing.

[Access Control Process in Accordance with the Mode]

Next, an access control process sequence executed by the informationprocessing apparatus serving as the network-connected device forperforming the access control will be described with reference to a flowof FIG. 4.

At Step S101, the information processing apparatus serving as thenetwork-connected device for performing the access control receives anaccess request from another network-connected device. The descriptionwill be made assuming that the information processing apparatus servingas the network-connected device for performing the access control is aserver and the information processing apparatus executing the accessrequest is a client.

An exemplary structure of an access request packet (Ethernet frame)transmitted from the client is shown in FIG. 5. The packet is dividedinto a header portion, a data portion and a trailer portion. The headerportion includes a synchronizing signal, a packet start code, adestination MAC address, a source MAC address, and packet length andtype.

The data portion includes, for example, data generated in accordancewith a TCP/IP communication protocol. For example, an IP packetincluding source and destination IP addresses is stored therein.

The server executes a different process depending on its own accesscontrol mode; (1) the automatic registration access control mode or (2)the registered device access control mode. The server identifies its ownmode at Step S102. If it is in (1) the automatic registration accesscontrol mode, a process after Step S103 is executed.

At Step S103, a MAC address of an access requesting source is acquiredfrom the packet received from the client. A collation process with theMAC address registered on the MAC address table (see FIG. 3) stored inthe memory section of the server and determines whether or not it isalready registered. If it is already registered (Step S103: Yes), theprocess proceeds to Step S106 and allows the access to execute a processin accordance with the request of the client.

If it is not registered yet (Step S103: No), the process proceeds toStep S104 so as to determine whether or not the number of MAC addressesalready registered in the MAC address table reaches a limit number ofregistration: N set in the server, that is, the number of registered MACaddresses<the limit number of registration: N is established.

If the number of registered MAC addresses<the limit number ofregistration: N is established (Step S104: Yes), the source MAC addressset in the header portion of the packet received from the client isregistered in the MAC address table. Thereafter, the access is allowedat Step S106 and executes a process in accordance with the request ofthe client.

If the number of registered MAC addresses>the limit number ofregistration: N is not established (Step S104: No), specifically, thelimit number of registration: N of MAC addresses are already registeredin the MAC address table, the automatic registration cannot be executedany more. Therefore, the access request from the client is refused atStep S107 without executing the registration process of the MAC address.

On the other hand, if it is determined that its own mode is (2) theregistered device access control mode at Step S102, the process proceedsto Step S111 and acquires the MAC address of the access requestingsource from the packet received from the client. Then, it is determinedwhether or not it is identical with a manually registered MAC addresswhich is subjected to a manual registration process in accordance with apredefined MAC address registration process sequence among the MACaddresses registered in the MAC address table (see FIG. 3) stored in thememory section of the server.

More specifically, in FIG. 3, only the entry indicated with “o” in themanual registration field becomes a MAC address entry to be subjected toa collation process. If the source MAC address (client MAC address) isidentical with the manually registered MAC address entry (Step S111:Yes), the process proceeds to Step S106 and allows the access to executea process in accordance with a request of the client.

On the other hand, if the source MAC address is not identical with themanually registered MAC address entry (Step S111: No), the processproceeds to Step S112 to refuse the access.

In the case of the registered device access control mode, even if thesource MAC address is identical with the MAC address automaticallyregistered in the MAC address table, the access is refused.

If the information processing apparatus (server) serving as thenetwork-connected device for performing the access control is in (1) theautomatic registration access control mode, the server determines theform of a request from a client. Only in the case of an access requestin a specific category, the access control is executed, that is, thecollation with the MAC address table and the automatic registrationprocess are executed. If it is not an access request in a specificcategory, the request from the client may be satisfied without executingthe access control, that is, without executing the collation with theMAC address table and the automatic registration process.

The access request in a specific category corresponds to, for example, arequest for acquisition of the contents held by the server or a controlrequest to the server. For example, in an UPnP device, the request foracquisition of the contents held by the server is executed based on anHTTP (Hyper Text Transfer Protocol) GET method with a content URL(Uniform Resource Locators) being specified as an identifier of thecontents. For the control request to the server, a SOAP (Simple ObjectAccess Protocol) protocol is used.

If the information processing apparatus (server) serving as thenetwork-connected device for performing the access control is in (1) theautomatic registration access control mode, the collation with the MACaddress table as the access control process and the automaticregistration process are executed only in the case where a request fromthe client is the HTTP (Hyper Text Transfer Protocol) GET method with acontent URL (Uniform Resource Locators) being specified or the controlrequest to the server based on the SOAP (Simple Object Access Protocol)protocol, and the access request is allowed under the condition that itis already registered on the MAC address table. If the access from theclient is other than the content acquisition request based on theHTTP-GET method or the control request based on the SOAP, for example, adiscovery request as a device discovering process in the UPnP, therequest from the client is unconditionally accepted without executingthe collation with the MAC address table as the access control processand the automatic registration process and a response is given.

A sequence for determining the type of a request from a client todetermine whether or not the collation with the MAC address table as theaccess control process and the automatic registration process are to beexecuted to implement the process will be described with reference to aflowchart in FIG. 6.

A process flow in FIG. 6 corresponds to a process in the case where theinformation processing apparatus (server) serving as thenetwork-connected device for performing the access control is in theautomatic registration access control mode.

At Step S201, the information processing apparatus serving as thenetwork-connected device for performing the access control receives anaccess request from another network-connected device. At Step S202, itis determined that the access request from the client is the contentacquisition request based on the HTTP-GET method or the control requestbased on the SOAP.

If the access request from the client is the content acquisition requestbased on the HTTP-GET method or the control request based on the SOAP(Step S202: Yes), the MAC address of the access requesting source isacquired from the received packet at Step S203 to execute the collationprocess with the MAC address registered in the MAC address table (seeFIG. 3) stored in the memory section of the server so as to determinewhether it is already registered or not. If it is already registered(Step S203: Yes), the process proceeds to Step S206 to allow the accessand executes a process in accordance with the request of the client.

If it is not registered yet (Step S203: No), the process proceeds toStep S204 and determines whether or not the number of MAC addressesalready registered in the MAC address table reaches the limit number ofregistration: N set in the server, that is, the number of registered MACaddresses<the limit number of registration: N is established.

If the number of registered MAC addresses >the limit number ofregistration: N is established (Step S204: Yes), the source MAC addressset in the header portion of the packet received from the client isregistered in the MAC address table. Thereafter, the access is allowedat Step S206 so as to execute a process in accordance with the requestof the client.

If the number of registered MAC addresses>the limit number ofregistration: N is not established (Step S204: No), specifically, thelimit number of registration: N of MAC addresses are already registeredin the MAC address table, the automatic registration cannot be executedany more. Therefore, the access request from the client is refused atStep S207 without executing the registration process of the MAC address.

On the other hand, if it is determined the access request from theclient is neither the content acquisition request based on the HTTP-GETmethod nor the control request based on the SOAP at Step S202, theprocess proceeds to Step S206 without executing the collation with theMAC address table and the automatic registration process to allow theaccess and a process is executed in accordance with the request of theclient.

FIG. 7 shows a functional block diagram illustrating the access controlprocess of the network-connected device (server) for performing theaccess control. The server includes: a packet transmitting/receivingsection 501 for executing the transmission/reception of a packet via anetwork; a packet generating/analyzing section 502 for analyzing apacket received via the packet transmitting/receiving section 501 andgenerating a packet to be transmitted via the packettransmitting/receiving section 501; a registration process executingsection 503 for determining whether the registration in the MAC addresstable is possible or not based on a packet received from a client andfor executing a registration process of a MAC address if it isdetermined that the registration is possible; a memory section 504storing a MAC address table; an access control process executing section505 for determining whether or not a client making a request for dataprocessing is registered in the MAC address table and executes an accessallowance determination process based on various data processing requestpackets to the server; a data processing section 507 for executing dataprocessing requested by a client under the condition of determination ofallowable access in the access control process executing section 505;and a mode information memory section 506 for storing mode informationindicating that the server is in (1) the automatic registration accesscontrol mode or in (2) the registered device access control mode.

The registration process executing section 503 and the access controlprocess executing section 505 execute a different process depending onthe mode setting information set in the mode information memory section506, that is, depending on in which of the two modes it is, (1) theautomatic registration access control mode and (2) the registered deviceaccess control mode. For example, if it is in (1) the automaticregistration access control mode, the registration process executingsection 503 executes the determination whether the automaticregistration is allowed or not based on the number of entries registeredin the MAC address table stored in the memory section 504 and executesthe registration process under the condition that the number is lessthan the limit number.

Moreover, the registration process executing section 503 also executesthe registration allowance determination process. Specifically, itexecutes a process for determining whether or not a process inaccordance with the predefined manual registration process sequence andthe like is executed. A detailed example of the manual registrationprocess will be described below.

FIG. 8 shows an example of the MAC address table displayed on a displayin the network-connected device (server) for executing the accesscontrol and a user interface for executing the mode setting process.

On a display 650 of the server, a MAC address table 651 consisting ofclient device names, MAC addresses and data indicating whether it ismanually registered or not is displayed. Furthermore, a current set modeinformation display section 652, a user input section 653 including amode switching section 654 and a registration confirmation button 655for registering a MAC address in the manual registration process, and auser interface (UI) including a deletion button 656 for deleting anentry registered in the MAC address table 651 are displayed.

An HTTP-extension header (X-AV-Client-Info) indicating sourceinformation as shown in FIG. 9 is added to all the HTTP-GET methods andthe SOAPs corresponding to access requests from a client. On the display650, a display process based on the information is performed. Morespecifically, for example, as shown in FIG. 9, the HTTP-extension header(X-AV-Client-Info) consisting of:GET/tracks/track?id=254 HTTP/1.1 ¥r¥nHost:192.254.32.11:80 ¥r¥nX-AV-Client-Info: av=2.0 ; cn=“Sony Corporation” ;mn=Linux-Sample-CP ;mv=2002-11-22-2.0 ¥r¥n is transmitted from a client.

A user displays the UI as shown in FIG. 8 on the display of the serverand can excuse the switching of the mode as well as the confirmation ofthe MAC address registered in the MAC address table. Furthermore, he/sheexecutes a deletion process of the MAC address registered in the MACaddress table as needed.

[Manual Registration Process]

Next, a procedure of the manual registration process of the MAC address,executed by the information processing apparatus for implementing theaccess control, will be described with reference to a sequence diagramin FIG. 10. The example shown in FIG. 10 is merely an example of the MACaddress registration process that is manually performed, and thereforeit is not necessarily indispensable to execute the manual registrationin accordance with this example. However, the entry is set only for theMAC address of a client, which is subjected to predefined manualregistration, as a MAC address manually registered in the MAC addresstable (MAC list) shown in FIG. 3.

The sequence shown in FIG. 10 corresponds to a MAC registration processsequence based on device authentication using a password. First, at StepS301, a user presses down a registration button provided on the client(controller) side. As a result, in accordance with a user signal A (USA)generated in response to the press of the registration button, theclient device broadcast transmits a MAC address registration request viaa network at Step S302. The broadcast transmitting of the MAC addressregistration request is executed, for example, every three seconds so asto last for several minutes.

After pressing the registration button provided on the client(controller) side, the user moves to the server (device) side. Then, atStep S303, he/she presses a confirmation button provided on the serverside. As a result, in accordance with a user signal B (USB) generated inresponse to the press of the confirmation button, the server receivesthe MAC address registration request for a defined period of time, forexample, for 10 seconds at Step S304.

In the case where the server receives the MAC address registrationrequest from the same source (MAC address) during 10 seconds, ittemporarily stores the MAC address in the MAC address table (MAC list)(see FIG. 3). Thereafter, it generates a device signal A (DSA) fordisplaying a message “Device discovered. Do you register it?” to theuser (S305) and waits for a predetermined period of time (for example,for 1 minute) in this state.

If the server refers to the MAC address table and determines that it isthe MAC address registration request from the client which is alreadymanually registered, it transmits a notice implying the completion ofthe MAC registration to terminate the MAC address registration process.Specifically, the server does not register the same MAC address twice.

However, in the case of the manual registration process of the MACaddress that is identical with the MAC address registered in the MACaddress table by the automatic registration process even though it isnot manually registered yet, the server performs a process of changingthe MAC address data entry registered in the MAC address table from theautomatic registration entry to the manual registration entry.

In the change process, the server executes a process of setting anidentifier indicating the completion of the manual registration in amanual registration field corresponding to the entry of the MAC addressdata being subjected to the automatic registration process in the MACaddress table.

While the server is waiting for a predetermined period of time (forexample, one minute) with the device signal A (DSA) displaying themessage “Device discovered. Do you register it?” being generated at StepS305, the user presses down the confirmation button (the registrationconfirmation button 655 in FIG. 8) provided on the server side at StepS306. Then, in accordance with a user signal C (USC) generated inresponse to the press of the confirmation button, the server transmits aMAC registration confirmation request to the client at Step S307. Apassword request flag is added to the MAC registration confirmationrequest.

Upon reception of the MAC registration confirmation request with thepassword request flag, the client generates a device signal fordisplaying a message “Enter a password for a device “XXXX”” for the userbased on the password request flag contained in the received MACregistration confirmation request and waits for the entry of thepassword for a predetermined period of time (for example, 5 minutes) atStep S308.

Furthermore, the client stops transmitting the MAC address registrationrequest and then returns a MAC registration confirmation response to theserver at Step S309.

When the server receives the MAC registration confirmation response, itgenerates a password (one-time password) at Step S310 to generate adevice signal C (DSC) for displaying a message “A password for a client(controller) “YYYY” is “OOOO”” for the user. It waits for apredetermined period of time (for example, 5 minutes) while the passwordis being presented.

On the other hand, on the client side, when the user enters the passwordat Step S311 during a password entry waiting period, the clienttransmits the entered password to the server at Step S312.

Upon reception of the password from the client, the server executes thecollation process of the password that is generated at Step S310 to bepresented to the user on the server side with the received password. Ifthe password received from the client and the generated password areidentical with each other, the server sets the MAC address of the clientin the MAC address table (MAC list) (see FIG. 3) as an official entry.At the same time, it sets identification data (such as a flag)indicating that it is manually registered. Alternatively, the automaticregistration entry is changed to the manual registration entry.

After the completion of the registration of the MAC address, the servergenerates a device signal D (DSD) for displaying a message “The client(controller) “YYYY” is successfully registered” for the user at StepS314 and then returns a password response with collation OK to theclient at Step S315.

When the client receives the password response as a MAC addressregistration notice based on the password collation OK from the server,it generates a device signal E (DSE) for displaying a message “Theregistration on the device “XXXX” is successfully performed” for theuser at Step S316 because it is determined that the MAC address isauthorized to be registered, thereby terminating the manual registrationprocess with the device authentication of the MAC address.

If the password transmitted from the client is unauthorized, that is,the password received from the client and the password generated by theserver are not identical with each other, the server returns a passwordresponse with collation NG to the client and waits for the second entryof the password from the client. If the password collation NGsuccessively occurs three times during the waiting period, the serverinterrupts the retrial of the password entry, displays a message “Thecontroller “YYYY” cannot be registered” for the user, and terminates theprocess without executing the registration of the MAC address of theclient.

Only the MAC address of the client that executes the manual registrationprocess of the MAC address described above is registered as a manuallyregistered MAC address in the MAC address table.

If the server is in the “registered device access control mode”, accessonly from these manually registered clients is allowed.

[Functional Structures of the Server and the Client]

The hardware structures of the server and the client device are asdescribed above with reference to FIG. 2. The above-described variousprocesses are executed by the CPU corresponding to a control section inaccordance with a program stored in a memory section of each of theserver and the client.

The processes executed by the CPU are, on the server side, for example,inputting a request from the client, analyzing the input information andregistering in the MAC address table (MAC list), that is, a process ofregistering to the access control information based on the results ofanalysis, generating a packet to be transmitted and received to/from theclient and analyzing process, further, outputting various messages inthe registration process and a process of analyzing the user inputinformation, and the like. The processes on the client side aregenerating and transmitting of various request packets to the server, aprocess of analyzing a packet received from the server, furtheroutputting of various messages in the registration process, a process ofanalyzing the user input information and the like.

These processes are basically executed in accordance with a processingprogram prestored under the control of the CPU serving as the controlsection of each of the server and the client device. The processesexecuted by the CPU serving as a control section, data stored in thememory section and the like will be described with reference to FIGS. 11and 12. FIG. 11 is a block diagram illustrating a principal functionalstructure of the server, whereas FIG. 12 is a block diagram illustratinga principal functional structure of the client.

First, with reference to the block diagram of FIG. 11 illustrating thefunctional structure of the server, the functional structure of theserver will be described. A packet transmitting/receiving section 701transmits a packet to the client and receives a packet from the client.A packet generating/analyzing section 702 performs a process ofgenerating a packet to be transmitted and a process of analyzing areceived packet. This corresponds to address setting of the packet,address recognition, data storage in a data storage section of thepacket, a data acquisition process from the data storage section, andthe like.

A data input section 703 is a keyboard, a user interface or the like forexecuting data entry by the user. A data output section 704 is an outputsection such as a display for displaying message data and the like.

An access control process executing section 705 executes the accesscontrol process in (1) the automatic registration access control modeand the access control process in (2) the registered device accesscontrol mode, which have been described above with reference to FIGS. 4and 6.

A registration processing section 706 executes the MAC addressregistration process executed in correspondence with access in (1) theautomatic registration access control mode and the manual registrationprocess described above with reference to FIG. 10. More specifically,the registration processing section 706 executes a process forregistering the client MAC address in the MAC address table as amanually registered MAC address under the condition that the process inaccordance with the predefined MAC address registration process sequencehas been executed, for example, as in the manual registration processdescribed with reference to FIG. 10.

Furthermore, in the case where the MAC address that is subjected to themanual registration process in accordance with the predefined MACaddress registration process sequence is registered in the table as theautomatically registered MAC address, the registration processingsection 706 executes a setting change process for changing theautomatically registered client address entry to the manually registeredclient MAC address entry.

A data processing section 707 executes a process corresponding to arequest from the client whose access is allowed, for example, a contentacquisition process or the like. A memory section 708 stores variousdata processing programs such as an access control processing program711 to be executed in the access control process executing section 705and a MAC address registration processing program 712 to be executed inthe registration processing section 706. Furthermore, a MAC addresstable 713, which has been described with reference to FIG. 3 and, inaddition, mode information 714 set in the server are stored. The serverfurther stores the contents to be provided for the client, metadatacorresponding to the contents and the like.

Next, the functional structure of the client device will be describedwith reference to FIG. 12. A packet transmitting/receiving section 801transmits a packet to the server and receives a packet from the server.A packet generating/analyzing section 802 performs a process ofgenerating a packet to be transmitted and a process of analyzing areceived packet. This corresponds to address setting of the packet,address recognition, data storage in a data storage section of thepacket, a data acquisition process from the data storage section, andthe like.

A data input section 803 is a keyboard, a user interface or the like forexecuting data entry by the user. A data output section 804 is an outputsection such as a display for displaying message data and the like.

An access request process executing section 805 executes various accessrequest processes to the server such as a content acquisition requestand a control request. An address registration process executing section806 executes a manual registration process of the MAC address, which hasbeen described with reference to FIG. 10.

A data processing section executes various data processing such as aprocess of reproducing the contents acquired from the server. A memorysection 808 stores processing programs such as an address registrationprocessing program 811 executed in the address registration processexecuting section 806 and, in addition, a MAC address 812 of the client.

The server and the client have the respective functions shown in FIGS.11 and 12 and execute each of the various processes described above inview of function. However, the block diagrams shown in FIGS. 11 and 12are for illustrating the functions, and it is not indispensable for theserver and the client to have hardware corresponding to the blocks shownin FIGS. 11 and 12. More specifically, various processing programs areexecuted under the control of the CPU in the structure of the PC or thelike shown in FIG. 2 so as to execute the process described withreference to each of the blocks shown in FIGS. 11 and 12 or each of theprocesses described in the above-described detailed description of thepresent invention.

The present invention has been described in detail above with referenceto specific embodiments. However, it is obvious that those skilled inthe art can modify or substitute the embodiments without departing fromthe gist of the present invention. Specifically, the present inventionis disclosed only by way of example, and therefore the description ofthe specification should not be read in a limited way. In order todetermine the gist of the present invention, the claims should be takeninto consideration.

A series of processes described in the specification can be executed byhardware, software or a combined structure of them. In the case wherethe process by the software is executed, a program, in which the processsequence is recorded, can be installed on a memory in a computerincorporated in a dedicated hardware so as to be executed, or a programcan be installed on a general-purpose computer capable of executingvarious processes so as to be executed.

For example, a program can be pre-recorded on a hard disk or a ROM (ReadOnly Memory) corresponding to a recording medium. Alternatively, aprogram may be temporarily or permanently stored in (recorded on) aremovable recording medium such as a CD-ROM (Compact Disc Read OnlyMemory), an MO (Magneto optical) disc, a DVD (Digital Versatile Disc), amagnetic disk or a semiconductor memory. Such a removable recordingmedium can be provided as so-called package software.

Besides the installation on a computer from the removable recordingmedium as described above, a program can be wirelessly transferred froma download site or can be wire transferred to a computer via a networksuch as the Internet so that the computer receives the thus transferredprogram to install it on a recording medium such as a built-in harddisk.

Various processes described in the specification may be executed notonly in time series in accordance with the description but also inparallel or individually in accordance with processing capacity of thedevice executing the process or the needs. In this specification, thesystem means a logical assembly structure of a plurality of apparatuses,and is not limited to those including the apparatuses having therespective structures within the housing.

INDUSTRIAL APPLICABILITY

As described above, in the structure of the present invention, a MACaddress table, in which a manually registered client MAC address and aclient MAC address being subjected to an automatic registration processare registered in such a form that they can be distinguished from eachother, is set. If an access control mode is an automatic registrationaccess control mode, the MAC address of a client making a request foraccess is registered up to a defined limit number of registration: N ofthe MAC address table so that the access control process for allowingaccess of the client is executed under the condition of the registrationprocess. If the access control mode is a registered device accesscontrol mode, an access control process for allowing the access of theclient is executed under the condition that the MAC address of theclient making the request for access is registered in the MAC addresstable as a manually registered MAC address. Therefore, even in the casewhere the manual registration process is not executed by the user,unrestrained access is prevented. For example, the acquisition of thecontents stored in the server from an unspecified number of clients andthe like can be prevented. Furthermore, by setting the mode to theregistered device access control mode, strict access control can beexecuted.

Furthermore, according to the structure of the present invention, thetype of the access request from the client is identified in theautomatic registration access control mode. Only if the type of theidentified access request corresponds to the type of access request towhich predefined access control should be executed, for example, acontent request process based on an HTTP (Hyper Text TransferProtocol)-GET method or a control request process based on a SOAP(Simple Object Access Protocol), the MAC address of the client isregistered up to a defined limit number of registration: N of the MACaddress table to execute the access allowance under the condition of theregistration process. Therefore, unnecessary access control can beprevented from being performed in a device discovery process, aninformation acquisition process or the like in an UPnP or the like.

1. An information processing apparatus for executing an access controlprocess comprising: a memory section for storing a MAC address table inwhich one or more manually registered client MAC addresses and one ormore automatically registered client MAC addresses are registered informs to distinguish each other; an access control section for executingdifferent access control processes, in response to an access requestfrom a client, in accordance with an access control mode set in theinformation processing apparatus, wherein the access control mode is anautomatic registration access control mode or a manually registereddevice access control mode; and a registration processing section forexecuting a setting change process for changing an entry of the one ormore automatically registered client MAC addresses to an entry of theone or more manually registered client MAC addresses in the MAC addresstable, wherein the access control section has a structure in that: ifthe access control mode is set as the automatic registration accesscontrol mode, one or more MAC addresses of an access requesting clientare registered until the number of MAC addresses reaches a defined limitnumber of registration and the access control process is executed undera condition of the registration process; if the access control mode isset as the manually registered device access control mode, the accesscontrol process is executed under the condition that the one or more MACaddresses of the access requesting client are registered in the MACaddress table as one or more manually registered MAC addresses; and ifthe access control mode is set as the automatic registration accesscontrol mode, the access control section identifies the type of accessrequest from the client and registers the one or more MAC addresses ofthe client up to the defined limit number of registration only in thecase where the type of the identified access request corresponds to thetype of access request to which access control should be executed, andexecutes the access control process for allowing access from the clientunder the condition of the registration process.
 2. The informationprocessing apparatus according to claim 1, characterized in that: thetype of access request to which access control should be executedincludes at least one of a content request process based on an HTTP(Hyper Text Transfer Protocol)-GET method and a control request processbased on a SOAP (Simple Object Access Protocol).
 3. The informationprocessing apparatus according to claim 1, wherein: the registrationprocessing section executes a process for registering the one or moreclient MAC addresses in the MAC address table as one or more manuallyregistered client MAC addresses under the condition that a manualregistration process in accordance with a predefined MAC addressregistration process sequence is executed.
 4. The information processingapparatus according to claim 1, wherein: the registration processingsection executes the setting change when a manual registration processin accordance with a predefined MAC address registration processsequence is executed for the one or more MAC addresses registered as theone or more automatically registered client MAC addresses in the MACaddress table.
 5. An access control processing method in an informationprocessing apparatus comprising: an access request receiving step ofreceiving an access request from a client; a mode determining step ofdetermining an access control mode set in the information processingapparatus is an automatic registration access control mode or a manuallyregistered device access control mode; an access control step ofexecuting an access control process for Registering one or more MACaddresses of an access requesting client up to a defined limit number ofregistration and for allowing access of said client under a condition ofthe registration process, if the set access control mode is theautomatic registration access control mode; and of executing an accesscontrol process for allowing access of the client under the conditionthat the one or more MAC addresses of access requesting client areregistered in the MAC address table as one or more manually registeredMAC addresses if the set access control mode is the manually registereddevice access control mode; a registration processing step of executinga setting change process for changing an entry of the one or moreautomatically registered client MAC addresses to an entry of the one ormore manually registered client MAC addresses in the MAC address table;and in the access control step, if the access control mode is set as theautomatic registration access control mode, the type of access requestfrom the client is identified, the one or more MAC addresses of theclient up to the defined limit number of registration are registeredonly in the case where the type of the identified access requestcorresponds to the type of access request to which a predefined accesscontrol should be executed, and a process for allowing access of theclient is executed under the condition of the registration process. 6.The access control processing method according to claim 5, characterizedin that: the type of request to which access control should be executedincludes at least one of a content request process based on an HTTP(Hyper Text Transfer Protocol)-GET method or a control request processbased on a SOAP (Simple Object Access Protocol).
 7. The access controlprocessing method according to claim 5, wherein: the registrationprocessing step executes a process for registering one or more clientMAC addresses in the MAC address table as the manually registered clientMAC addresses under the condition that a manual registration process inaccordance with a predefined MAC address registration process sequenceis executed.
 8. The access control processing method according to claim5, wherein: the registration process step executes the setting changewhen a manual registration process in accordance with a predefined MACaddress registration process sequence is executed for one or more MACaddresses registered in the MAC address table as automaticallyregistered client MAC addresses.
 9. A computer program, tangibleembodied in the computer-readable storage medium, for executing anaccess control process in an information processing apparatuscomprising: a mode determining step of determining an access controlmode set in the information processing apparatus is an automaticregistration access mode or a manually registered device access controlmode; an access control step of executing an access control process forregistering one or more MAC addresses of an access requesting client upto a defined limit number of registration if a set access control modeis the automatic registration access control mode, and for allowing theaccess of said client under the condition of the registration process;and of executing an access control process for allowing the access ofthe client under the condition that the one or more MAC addresses of theaccess requesting client are registered in the MAC address table as oneor more manually registered MAC addresses, if the set access controlmode is the registered device access control mode; a registrationprocessing step of executing a setting change process for changing anentry of the one or more automatically registered client MAC addressesto an entry of the one or more manually registered client MAC addressesin the MAC address table; and in the access control step, if the accesscontrol mode is set as the automatic registration access control mode,the type of access request from the client is identified, the one ormore MAC addresses of the client up to the defined limit number ofregistration are registered only in the case where the type of theidentified access request corresponds to the type of access request towhich a predefined access control should be executed, and a process forallowing access of the client is executed under the condition of theregistration process.